cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

ipvs-sysctl.rst (11230B)


.. SPDX-License-Identifier: GPL-2.0

===========
IPvs-sysctl
===========

/proc/sys/net/ipv4/vs/* Variables:
==================================

am_droprate - INTEGER
	default 10

	It sets the always mode drop rate, which is used in mode 3 of
	the drop_packet defense.

amemthresh - INTEGER
	default 1024

	It sets the available memory threshold (in pages), which is
	used in the automatic modes of the defense strategies
	(drop_entry, drop_packet and secure_tcp). When there is not
	enough available memory, the respective strategy is enabled and
	its variable is automatically set to 2; otherwise the strategy
	is disabled and the variable is set to 1.

backup_only - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If set, disable the director function while the server is
	in backup mode to avoid packet loops for DR/TUN methods.

conn_reuse_mode - INTEGER
	1 - default

	Controls how ipvs deals with connections on which port reuse
	is detected. It is a bitmap, with the values being:

	0: disable any special handling on port reuse. The new
	connection will be delivered to the same real server that was
	servicing the previous connection.

	bit 1: enable rescheduling of new connections when it is safe.
	That is, whenever expire_nodest_conn is set and, for TCP
	connections, when the connection is in TIME_WAIT state (which
	is only possible if you use NAT mode).

	bit 2: it is bit 1 plus, for TCP connections, when connections
	are in FIN_WAIT state, as this is the last state seen by the load
	balancer in Direct Routing mode. This bit helps when adding new
	real servers to a very busy cluster.

conntrack - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If set, maintain connection tracking entries for
	connections handled by IPVS.

	This should be enabled if connections handled by IPVS are also
	to be handled by stateful firewall rules, that is, iptables
	rules that make use of connection tracking. Otherwise it is a
	performance optimisation to leave this setting disabled.

	Connections handled by the IPVS FTP application module
	will have connection tracking entries regardless of this setting.

	Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.

cache_bypass - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If enabled, forward packets to the original destination
	directly when no cache server is available and the destination
	address is not local (iph->daddr is RTN_UNICAST). It is mostly
	used in transparent web cache clusters.

debug_level - INTEGER
	- 0          - transmission error messages (default)
	- 1          - non-fatal error messages
	- 2          - configuration
	- 3          - destination trash
	- 4          - drop entry
	- 5          - service lookup
	- 6          - scheduling
	- 7          - connection new/expire, lookup and synchronization
	- 8          - state transition
	- 9          - binding destination, template checks and applications
	- 10         - IPVS packet transmission
	- 11         - IPVS packet handling (ip_vs_in/ip_vs_out)
	- 12 or more - packet traversal

	Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.

	Higher debugging levels include the messages for lower debugging
	levels, so setting debug level 2 includes level 0, 1 and 2
	messages. Thus, logging becomes more and more verbose the higher
	the level.

drop_entry - INTEGER
	- 0  - disabled (default)

	The drop_entry defense randomly drops entries in the
	connection hash table in order to reclaim some memory for new
	connections. In the current code, the drop_entry procedure can
	be activated every second; it then randomly scans 1/32 of the
	whole connection hash table and drops entries that are in the
	SYN-RECV/SYNACK state, which should be effective against
	SYN-flooding attacks.

	The valid values of drop_entry are from 0 to 3, where 0 means
	that this strategy is always disabled, 1 and 2 mean automatic
	modes (when there is not enough available memory, the strategy
	is enabled and the variable is automatically set to 2,
	otherwise the strategy is disabled and the variable is set to
	1), and 3 means that the strategy is always enabled.

drop_packet - INTEGER
	- 0  - disabled (default)

	The drop_packet defense is designed to drop 1/rate of the packets
	before forwarding them to real servers. If the rate is 1, then
	all incoming packets are dropped.

	The value definition is the same as that of drop_entry. In
	the automatic mode, the rate is determined by the following
	formula: rate = amemthresh / (amemthresh - available_memory)
	when the available memory is less than the available memory
	threshold. When mode 3 is set, the always mode drop rate
	is controlled by /proc/sys/net/ipv4/vs/am_droprate.

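The drop_packet rules above (the automatic 1/2 mode flip driven by amemthresh, the rate formula, and the always mode controlled by am_droprate), modelled in C as an added example for this page. It is not kernel code; the names ipvs_defense, update_defense_level, todrop and dropped_of are ours, and the per-packet counter is one plausible way to "drop 1/rate of the packets". The same 1/2 flip applies to drop_entry and secure_tcp, whose value definition the text says is identical.

```c
#include <stdio.h>

/* The sysctls named in the text, plus the derived per-netns state.
 * Field and function names are ours, not the kernel's. */
struct ipvs_defense {
	int amemthresh;   /* pages, sysctl amemthresh (default 1024) */
	int am_droprate;  /* sysctl am_droprate (default 10) */
	int drop_packet;  /* sysctl drop_packet: 0..3, rewritten in modes 1/2 */
	int drop_rate;    /* 0 = drop nothing, 1 = drop all, n = drop 1/n */
	int drop_counter; /* packets left until the next drop */
};

/* Periodic re-evaluation (the text says the defenses are evaluated every
 * second).  availmem is the currently available memory in pages. */
void update_defense_level(struct ipvs_defense *d, int availmem)
{
	int nomem = availmem < d->amemthresh;

	switch (d->drop_packet) {
	case 0:
		d->drop_rate = 0;
		break;
	case 1: /* automatic mode, currently inactive */
	case 2: /* automatic mode, currently active */
		if (nomem) {
			/* rate = amemthresh / (amemthresh - available_memory),
			 * integer division as in the kernel */
			d->drop_rate = d->drop_counter =
				d->amemthresh / (d->amemthresh - availmem);
			d->drop_packet = 2;
		} else {
			d->drop_rate = 0;
			d->drop_packet = 1;
		}
		break;
	case 3: /* always enabled: rate comes from am_droprate */
		d->drop_rate = d->drop_counter = d->am_droprate;
		break;
	}
}

/* Per-packet decision: returns 1 when this packet is to be dropped.
 * Every drop_rate-th packet is dropped; rate 1 drops everything. */
int todrop(struct ipvs_defense *d)
{
	if (!d->drop_rate)
		return 0;
	if (--d->drop_counter > 0)
		return 0;
	d->drop_counter = d->drop_rate;
	return 1;
}

/* How many of npkts packets are dropped after one defense update at the
 * given memory level. */
int dropped_of(struct ipvs_defense *d, int availmem, int npkts)
{
	int i, n = 0;

	update_defense_level(d, availmem);
	for (i = 0; i < npkts; i++)
		n += todrop(d);
	return n;
}

int main(void)
{
	/* defaults from the text, automatic mode selected */
	struct ipvs_defense d = { 1024, 10, 1, 0, 0 };
	int mem[] = { 2048, 1000, 512, 128, 0 }; /* constructed sample levels */
	unsigned i;

	for (i = 0; i < sizeof mem / sizeof mem[0]; i++) {
		int n = dropped_of(&d, mem[i], 1000);

		printf("avail=%4d pages  drop_packet=%d  rate=%3d  dropped %4d/1000\n",
		       mem[i], d.drop_packet, d.drop_rate, n);
	}
	return 0;
}
```

Note the integer division in the formula: as soon as available memory falls to half of amemthresh or below, rate becomes 1 and the director drops every incoming packet, not just a fraction. Tune amemthresh with that cliff in mind, and remember that the variable itself flips between 1 and 2 while the automatic mode is active, so a config-management tool that re-asserts the value 1 is not a sign of drift.
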
expire_nodest_conn - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	With the default value of 0, the load balancer silently drops
	packets whose destination server is not available. This may be
	useful when a user-space monitoring program deletes the
	destination server (because of server overload or a wrong
	detection) and adds the server back later, so that connections
	to the server can continue.

	If this feature is enabled, the load balancer will expire the
	connection immediately when a packet arrives and its
	destination server is not available; the client program
	will then be notified that the connection is closed. This is
	equivalent to the feature some people require to flush
	connections when their destination is not available.

expire_quiescent_template - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	When set to a non-zero value, the load balancer will expire
	persistent templates when the destination server is quiescent.
	This may be useful when a user makes a destination server
	quiescent by setting its weight to 0 and it is desired that
	subsequent otherwise persistent connections are sent to a
	different destination server. By default new persistent
	connections are allowed to quiescent destination servers.

	If this feature is enabled, the load balancer will expire the
	persistence template if it is to be used to schedule a new
	connection and the destination server is quiescent.

ignore_tunneled - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If set, ipvs will set the ipvs_property on all packets which are of
	unrecognized protocols. This prevents ipvs from routing tunneled
	protocols like ipip, which is useful to prevent rescheduling
	packets that have been tunneled to the ipvs host (i.e. to prevent
	ipvs routing loops when ipvs is also acting as a real server).

nat_icmp_send - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	It controls sending icmp error messages (ICMP_DEST_UNREACH)
	for VS/NAT when the load balancer receives packets from real
	servers but the connection entries don't exist.

pmtu_disc - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	By default, reject with FRAG_NEEDED all DF packets that exceed
	the PMTU, irrespective of the forwarding method. For the TUN method
	the flag can be disabled to fragment such packets instead.

secure_tcp - INTEGER
	- 0  - disabled (default)

	The secure_tcp defense is to use a more complicated TCP state
	transition table. For VS/NAT, it also delays entering the
	TCP ESTABLISHED state until the three way handshake is completed.

	The value definition is the same as that of drop_entry and
	drop_packet.

sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
	default 3 50

	It sets the synchronization threshold, which is the minimum number
	of incoming packets that a connection needs to receive before
	the connection will be synchronized. A connection will be
	synchronized every time the number of its incoming packets
	modulo sync_period equals the threshold. The range of the
	threshold is from 0 to sync_period.

	When sync_period and sync_refresh_period are 0, send sync only
	for state changes or only once, when pkts matches sync_threshold.

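The packet-count rule of sync_threshold / sync_period described above, including the documented special case where both sync_period and sync_refresh_period are 0, modelled in C as an added example for this page. It is not kernel code: sync_cfg, sync_due and syncs_over are our names, and the time-based suppression of sync_refresh_period is deliberately left out of the model.

```c
#include <stdio.h>

/* Sync parameters as they appear in /proc/sys/net/ipv4/vs (names ours). */
struct sync_cfg {
	int sync_threshold;      /* first value of sync_threshold (default 3) */
	int sync_period;         /* second value of sync_threshold (default 50) */
	int sync_refresh_period; /* sysctl sync_refresh_period (default 0) */
};

/* Returns 1 when the count rule says a sync message is due for a
 * connection that has received pkts incoming packets.  state_changed is
 * set when the connection state changed since the last sync; the text
 * above says such changes are always synced. */
int sync_due(const struct sync_cfg *c, int pkts, int state_changed)
{
	if (state_changed)
		return 1;
	if (c->sync_period > 0)
		/* the documented rule: pkts modulo sync_period == threshold */
		return pkts % c->sync_period == c->sync_threshold;
	if (c->sync_refresh_period == 0)
		/* no period and no refresh timer: sync exactly once */
		return pkts == c->sync_threshold;
	/* period 0 but a refresh timer is set: the count rule suppresses
	 * nothing and the timer (not modelled here) decides */
	return 1;
}

/* Number of count-triggered syncs over the first npkts packets of a
 * connection whose state does not change. */
int syncs_over(const struct sync_cfg *c, int npkts)
{
	int pkts, n = 0;

	for (pkts = 1; pkts <= npkts; pkts++)
		n += sync_due(c, pkts, 0);
	return n;
}

int main(void)
{
	struct sync_cfg def = { 3, 50, 0 }; /* the documented default "3 50" */
	int pkts;

	printf("packets at which a quiet connection is synced (default 3 50):");
	for (pkts = 1; pkts <= 200; pkts++)
		if (sync_due(&def, pkts, 0))
			printf(" %d", pkts);
	printf("\nsyncs per 1000 packets: %d\n", syncs_over(&def, 1000));
	return 0;
}
```

With the defaults a long-lived, state-stable connection is announced to the backup at packets 3, 53, 103 and so on, i.e. once per sync_period packets, so a connection that completes in fewer than sync_threshold packets is never synced at all. A threshold of 0 syncs at every multiple of sync_period instead, which is why the text gives the threshold range as 0 to sync_period.
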
sync_refresh_period - UNSIGNED INTEGER
	default 0

	In seconds, the difference in the reported connection timer that
	triggers a new sync message. It can be used to avoid sync messages
	for the specified period (or half of the connection timeout if
	that is lower) if the connection state has not changed since the
	last sync.

	This is useful for normal connections with high traffic, to reduce
	the sync rate. Additionally, retry sync_retries times with a period
	of sync_refresh_period/8.

sync_retries - INTEGER
	default 0

	Defines sync retries with a period of sync_refresh_period/8. Useful
	to protect against loss of sync messages. The range of
	sync_retries is from 0 to 3.

sync_qlen_max - UNSIGNED LONG

	Hard limit for queued sync messages that are not sent yet. It
	defaults to 1/32 of the memory pages but actually represents a
	number of messages. It protects the director from allocating large
	parts of memory when the sending rate is lower than the queuing
	rate.

sync_sock_size - INTEGER
	default 0

	Configuration of the SNDBUF (master) or RCVBUF (slave) socket limit.
	Default value is 0 (preserve system defaults).

sync_ports - INTEGER
	default 1

	The number of threads that master and backup servers can use for
	sync traffic. Every thread will use a single UDP port; thread 0 will
	use the default port 8848 while the last thread will use port
	8848+sync_ports-1.

    256snat_reroute - BOOLEAN
    257	- 0 - disabled
    258	- not 0 - enabled (default)
    259
    260	If enabled, recalculate the route of SNATed packets from
    261	realservers so that they are routed as if they originate from the
    262	director. Otherwise they are routed as if they are forwarded by the
    263	director.
    264
    265	If policy routing is in effect then it is possible that the route
    266	of a packet originating from a director is routed differently to a
    267	packet being forwarded by the director.
    268
    269	If policy routing is not in effect then the recalculated route will
    270	always be the same as the original route so it is an optimisation
    271	to disable snat_reroute and avoid the recalculation.
    272
    273sync_persist_mode - INTEGER
    274	default 0
    275
    276	Controls the synchronisation of connections when using persistence
    277
    278	0: All types of connections are synchronised
    279
    280	1: Attempt to reduce the synchronisation traffic depending on
    281	the connection type. For persistent services avoid synchronisation
    282	for normal connections, do it only for persistence templates.
    283	In such case, for TCP and SCTP it may need enabling sloppy_tcp and
    284	sloppy_sctp flags on backup servers. For non-persistent services
    285	such optimization is not applied, mode 0 is assumed.
    286
    287sync_version - INTEGER
    288	default 1
    289
    290	The version of the synchronisation protocol used when sending
    291	synchronisation messages.
    292
    293	0 selects the original synchronisation protocol (version 0). This
    294	should be used when sending synchronisation messages to a legacy
    295	system that only understands the original synchronisation protocol.
    296
    297	1 selects the current synchronisation protocol (version 1). This
    298	should be used where possible.
    299
    300	Kernels with this sync_version entry are able to receive messages
    301	of both version 1 and version 2 of the synchronisation protocol.
    302
    303run_estimation - BOOLEAN
    304	0 - disabled
    305	not 0 - enabled (default)
    306
    307	If disabled, the estimation will be stop, and you can't see
    308	any update on speed estimation data.
    309
    310	You can always re-enable estimation by setting this value to 1.
    311	But be careful, the first estimation after re-enable is not
    312	accurate.